Avoiding Leakage and Synchronization Attacks through Enclave-Side - - PowerPoint PPT Presentation

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control

Marcus Völp, Adam Lackorzynski*, Jérémie Decouchant, Vincent Rahli, Francisco Rocha, and Paulo Esteves-Veríssimo

1st Workshop on System Software for Trusted Execution (SysTEX 2016), Dec. 12, 2016, Trento, Italy

University of Luxembourg SnT CritiX Lab Luxembourg <name>.<surname>@uni.lu

*Kernkonzept GmbH and

TU Dresden – Operating-systems group Dresden, Germany adam.lackorzynski@kernkonzept.com

2

The functionality/code size dilemma

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control - SysTEX 2016 - Marcus Völp (marcus.voelp@uni.lu)

• application scenarios require the system to

implement a certain set of functionalities

• implementing these functionalities comes at the cost of a

certain minimal amount of code

– even if development time and costs don’t matter; and – even if you only use high-class developers

• correlation of code size and complexity to vulnerabilities

– Chou et al., “An Empirical Study of Operating Systems Errors”, SOSP 2001 – Asadollah et al., “A Study of Concurrency Bugs in an Open Source Software”, OSS 2016

3

The functionality/code size dilemma

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control - SysTEX 2016 - Marcus Völp (marcus.voelp@uni.lu)

• application scenarios require the system to

implement a certain set of functionalities

• implementing these functionalities comes at the cost of a

certain minimal amount of code

– even if development time and costs don’t matter; and – even if you only use high-class developers

• correlation of code size and complexity to vulnerabilities

– Chou et al., “An Empirical Study of Operating Systems Errors”, SOSP 2001 – Asadollah et al., “A Study of Concurrency Bugs in an Open Source Software”, OSS 2016

• RTOS
• ca. 5 KLOC
• Microkernel

10 – 15 KLOC

• Legacy OS

15 – 50 MLOC

5-13 PY formal verification

4

Legacy OS

Intransitive trust

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control - SysTEX 2016 - Marcus Völp (marcus.voelp@uni.lu)

Driver FS Stub legacy App App Player secure App secure App

5

Legacy OS

Intransitive trust

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control - SysTEX 2016 - Marcus Völp (marcus.voelp@uni.lu)

Driver FS Stub legacy App App En-/Decryption VPFS secure App secure App Player Codec Framebuffer Mgr. Resource Mgmt

• Weinhold et al., “jVPFS: Adding Robustness to a Secure Stacked File

System with Untrusted Local Storage Components”, USENIX ATC, 2011

• Singaravelu et al., “Reducing TCB Complexity for Security-Sensitive

Applications: Three Case Studies”, Eurosys, 2006

• …

Asmussen, Völp, … ASPLOS ‘16

tudos.org

6

Legacy OS

Intransitive trust

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control - SysTEX 2016 - Marcus Völp (marcus.voelp@uni.lu)

Driver FS Stub legacy App App En-/Decryption VPFS secure App secure App Player Codec Framebuffer Mgr. Resource Mgmt Intel SGX ARM Trustzone / … microhypervisor Inktag Hoffmann et al. ‘13 Manycore + DTUs M3 Asmussen, Völp, … ASPLOS ‘16

7

SGX Vulnerabilities

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control - SysTEX 2016 - Marcus Völp (marcus.voelp@uni.lu)

Fine grain preemption control to widen the window of vulnerability

• f synchronization bugs

Source: AsyncShock

8

SGX Vulnerabilities

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control - SysTEX 2016 - Marcus Völp (marcus.voelp@uni.lu)

Fine grain preemption control to widen the window of vulnerability

• f synchronization bugs

Fine grain preemption control to widen the window of vulnerability for side-channel attacks

9

SGX Vulnerabilities

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control - SysTEX 2016 - Marcus Völp (marcus.voelp@uni.lu)

• Running Example:

Osvik et al., “Cache Attacks and Countermeasures: the Case of AES”, CT-RSA 2006

source: wikimedia

in-memory tables Ti

10

SGX Vulnerabilities

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control - SysTEX 2016 - Marcus Völp (marcus.voelp@uni.lu)

• Running Example:

Osvik et al., “Cache Attacks and Countermeasures: the Case of AES”, CT-RSA 2006

R5 = read Ti[xj] R0 = xor R0, R5 … read Ti[0] … read Ti[n] Ti Ti

11

SGX Vulnerabilities

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control - SysTEX 2016 - Marcus Völp (marcus.voelp@uni.lu)

• Running Example:

Osvik et al., “Cache Attacks and Countermeasures: the Case of AES”, CT-RSA 2006

R6 = read Ti[0] cmp 0, xj R5 = cmov R6 R0 = xor R0, R5 … Ti Ti low indistinguishable data access pattern embedded into low indistinguishable control flow

12

SGX Vulnerabilities

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control - SysTEX 2016 - Marcus Völp (marcus.voelp@uni.lu)

• Running Example:

Osvik et al., “Cache Attacks and Countermeasures: the Case of AES”, CT-RSA 2006

R5 = read Ti[xj] R0 = xor R0, R5 … read Ti[0] … read Ti[n] Ti Ti disable preemptions enable preemptions

13

This talk

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control - SysTEX 2016 - Marcus Völp (marcus.voelp@uni.lu)

• How can we allow user-level

applications (in enclaves) to disable preemptions without being able to monopolizing the system?

• How can we prevent solicited

exits through which the management OS could regain control?

• How can we translate delayed-

preemption to Intel SGX? Re-investigate delayed-preemption:

14

This talk

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control - SysTEX 2016 - Marcus Völp (marcus.voelp@uni.lu)

R5 = read Ti[xj] R0 = xor R0, R5 … read Ti[0] … read Ti[n] disable preemptions enable preemptions

How can we make sure the enclave enables preemptions again? How can we prevent solicited exits in sensitive code?

15

This talk

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control - SysTEX 2016 - Marcus Völp (marcus.voelp@uni.lu)

R5 = read Ti[xj] R0 = xor R0, R5 … read Ti[0] … read Ti[n] disable preemptions enable preemptions prepare if preempted goto retry

How can we make sure the enclave enables preemptions again? How can we prevent solicited exits in sensitive code?

16

Delayed Preemption

• … in a Trusted-Trustworthy Hypervisor

time user / enclave mode kernel mode disable all interrupts except timer program timer to max_tolerable_delay inform app about pending preemption: p = 1 execute delayed preemptions

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control - SysTEX 2016 - Marcus Völp (marcus.voelp@uni.lu)

17

Delayed Preemption

• … in a Trusted-Trustworthy Hypervisor

time user / enclave mode kernel mode disable all interrupts except timer program timer to max_tolerable_delay inform app about pending preemption: p = 1 execute delayed preemptions … max_tolerable_delay

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control - SysTEX 2016 - Marcus Völp (marcus.voelp@uni.lu)

18

Delayed Preemption

• … in a Trusted-Trustworthy Hypervisor

time user / enclave mode kernel mode

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control - SysTEX 2016 - Marcus Völp (marcus.voelp@uni.lu)

sensitive code max_tolerable_delay

19

Delayed Preemption

• … in SGX

time user / enclave mode kernel mode

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control - SysTEX 2016 - Marcus Völp (marcus.voelp@uni.lu)

sensitive code max_tolerable_delay xAPIC register

20

max_tolerable_delay max_tolerable_delay

Delayed Preemption

• … in SGX

time user / enclave mode kernel mode

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control - SysTEX 2016 - Marcus Völp (marcus.voelp@uni.lu)

sensitive code xAPIC register xAPIC: set timer on first preemption; don’t interrupt application local xAPIC register; write only in kernel mode (i.e., not in enclave mode) not virtualizable

21

Solicited Exits

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control - SysTEX 2016 - Marcus Völp (marcus.voelp@uni.lu)

R5 = read Ti[xj] R0 = xor R0, R5 … read Ti[0] … read Ti[n] disable preemptions enable preemptions prepare if preempted goto retry

22

xApic.d = 0 // if (xApic.p = 1) -> AEX retry: xApic.d = 1; prepare if (p = 1) goto retry

Solicited Exits

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control - SysTEX 2016 - Marcus Völp (marcus.voelp@uni.lu)

R5 = read Ti[xj] R0 = xor R0, R5 … read Ti[0] … read Ti[n]

How to prevent solicited exits in sensitive code?

  max_tolerable_delay

• data / instruction page-faults
• lazy FPU context switch
• power management
• device virtualization

Trigger all such exits during non-sensitive prepare phase; Set p flag to make code aware of these exits; Context switch p flag as part of enclave state

23

Solicited Exits

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control - SysTEX 2016 - Marcus Völp (marcus.voelp@uni.lu)

T0 T1 T2 T3 f g retry: d = 1; //prepare call pg(f) call pg(g)

• r $0, [pg(T0)]
• r $0, [pg(T1)]
• r $0, [pg(T2)]
• r $0, [pg(T3)]

if (p = 1) goto retry

• data / instruction TLB

set p-flag on instruction / data pagefault

Recall: cross-CPU page-table changes require IPIs to shootdown TLBs

24

prepare if (p = 1) goto retry xApic.d = 0 // if (xApic.p = 1) -> AEX

Solicited Exits

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control - SysTEX 2016 - Marcus Völp (marcus.voelp@uni.lu)

R5 = read Ti[xj] R0 = xor R0, R5 … read Ti[0] … read Ti[n]

How to prevent solicited exits in sensitive code?

retry: xApic.d = 1;

• data / instruction page-faults
• lazy FPU context switch
• power management
• device virtualization

access pages / FPU; check p-flag report power state access device MMIO / ports; check p-flag check max_tolerable_delay > WCET(prepare + sensitive)

• f current power state

max_tolerable_delay

25

Concurrency Bugs

• Cannot fix concurrency bugs by delaying preemptions
• Avoid widening the window of vulnerability

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control - SysTEX 2016 - Marcus Völp (marcus.voelp@uni.lu)

disable preemptions free object invalidate pointer enable preemptions disable preemptions if (pointer) use object enable preemptions ||

26

This talk in one slide…

Legacy OS

Driver FS Stub legacy App App En-/Decryption VPFS secure App secure App Player Codec Framebuffer Mgr. Resource Mgmt Intel SGX ARM Trustzone / … microhypervisor Inktag Hoffmann et al. ‘13

…

Manycore + DTUs M3 Asmussen, Völp, … ASPLOS ‘16

intransitive trust: enabler for TCB reduction CritiX Lab (Critical and Extreme Security and Dependability) Interdisciplinary Centre for Security, Reliability and Trust - University of Luxembourg

PEARL Grant FNR/P14/8149128 – Paulo Esteves-Veríssimo

We are hiring bright post-docs and research associates!

27

This talk in one slide…

Legacy OS

Driver FS Stub legacy App App En-/Decryption VPFS secure App secure App Player Codec Framebuffer Mgr. Resource Mgmt Intel SGX ARM Trustzone / … microhypervisor Inktag Hoffmann et al. ‘13

…

Manycore + DTUs M3 Asmussen, Völp, … ASPLOS ‘16

intransitive trust: enabler for TCB reduction CritiX Lab (Critical and Extreme Security and Dependability) Interdisciplinary Centre for Security, Reliability and Trust - University of Luxembourg

PEARL Grant FNR/P14/8149128 – Paulo Esteves-Veríssimo

We are hiring bright post-docs and research associates!

delayed-preemption mechanism prevents widening attack windows

R5 = read Ti[xj] R0 = xor R0, R5 … read Ti[0] … read Ti[n] disable preemptions enable preemptions prepare if preempted goto retry

28

This talk in one slide…

Legacy OS

Driver FS Stub legacy App App En-/Decryption VPFS secure App secure App Player Codec Framebuffer Mgr. Resource Mgmt Intel SGX ARM Trustzone / … microhypervisor Inktag Hoffmann et al. ‘13

…

Manycore + DTUs M3 Asmussen, Völp, … ASPLOS ‘16

intransitive trust: enabler for TCB reduction CritiX Lab (Critical and Extreme Security and Dependability) Interdisciplinary Centre for Security, Reliability and Trust - University of Luxembourg

PEARL Grant FNR/P14/8149128 – Paulo Esteves-Veríssimo

We are hiring bright post-docs and research associates!

delayed-preemption mechanism prevents widening attack windows

R5 = read Ti[xj] R0 = xor R0, R5 … read Ti[0] … read Ti[n] disable preemptions enable preemptions prepare if preempted goto retry

max_tolerable_delay max_tolerable_delay time user / enclave mode kernel mode sensitive code xAPIC register xAPIC: set timer on first preemption; don’t interrupt application local xAPIC register; write only in kernel mode (i.e., not in enclave mode) not virtualizable

… and it can be integrated in SGX